EP3668135A1 - Authorization method for enabling or disabling resources and terminal - Google Patents
Authorization method for enabling or disabling resources and terminal Download PDFInfo
- Publication number
- EP3668135A1 EP3668135A1 EP18212665.6A EP18212665A EP3668135A1 EP 3668135 A1 EP3668135 A1 EP 3668135A1 EP 18212665 A EP18212665 A EP 18212665A EP 3668135 A1 EP3668135 A1 EP 3668135A1
- Authority
- EP
- European Patent Office
- Prior art keywords
- provider
- terminal
- sending
- authorization
- wireless communication
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000013475 authorization Methods 0.000 title claims abstract description 123
- 238000000034 method Methods 0.000 title claims abstract description 43
- 238000004891 communication Methods 0.000 claims abstract description 57
- 230000004044 response Effects 0.000 claims abstract description 20
- 230000000903 blocking effect Effects 0.000 claims abstract description 16
- 238000012790 confirmation Methods 0.000 claims description 32
- 230000005540 biological transmission Effects 0.000 claims description 14
- 230000008569 process Effects 0.000 description 5
- 239000000047 product Substances 0.000 description 3
- 230000008859 change Effects 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 239000013589 supplement Substances 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/20—Individual registration on entry or exit involving the use of a pass
- G07C9/27—Individual registration on entry or exit involving the use of a pass with central registration
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0815—Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0825—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using asymmetric-key encryption or public key infrastructure [PKI], e.g. key signature or public key certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/08—Access security
-
- G—PHYSICS
- G07—CHECKING-DEVICES
- G07C—TIME OR ATTENDANCE REGISTERS; REGISTERING OR INDICATING THE WORKING OF MACHINES; GENERATING RANDOM NUMBERS; VOTING OR LOTTERY APPARATUS; ARRANGEMENTS, SYSTEMS OR APPARATUS FOR CHECKING NOT PROVIDED FOR ELSEWHERE
- G07C9/00—Individual registration on entry or exit
- G07C9/00174—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys
- G07C9/00309—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks
- G07C2009/00388—Electronically operated locks; Circuits therefor; Nonmechanical keys therefor, e.g. passive or active electrical keys or other data carriers without mechanical keys operated with bidirectional data transmission between data carrier and locks code verification carried out according to the challenge/response method
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/80—Wireless
- H04L2209/805—Lightweight hardware, e.g. radio-frequency identification [RFID] or sensor
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0884—Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/108—Network architectures or network communication protocols for network security for controlling access to devices or network resources when the policy decisions are valid for a limited amount of time
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/60—Context-dependent security
- H04W12/69—Identity-dependent
- H04W12/77—Graphical identity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W4/00—Services specially adapted for wireless communication networks; Facilities therefor
- H04W4/80—Services using short range communication, e.g. near-field communication [NFC], radio-frequency identification [RFID] or low energy communication
Definitions
- the invention is concerned with an authorization method for releasing or locking resources, the method also being able to be used offline.
- the invention further relates to a corresponding terminal.
- the object of the present invention is therefore to provide a method which also enables offline, i.e. without an active connection between the provider and the authorizing party and / or between the terminal device and the authorizing party, to carry out authorization and resource release or blocking. This object is achieved by the present invention.
- the authorization request is preferably signed with a private key of the provider and contains a public and a private part.
- the public part of the authorization request is accessible to the terminal and the private part of the authorization request is encrypted with a public key of the authorizer
- This first aspect concerns the scenario that the provider is offline to the authorizing party.
- the third aspect is both separately according to the invention and in addition to the first or second aspect, that is to say in combination with the first aspect.
- the method according to the invention preferably further comprises the provision of a public and a private key for the provider and the authorizing party, and the provider and the authorizing party each know the other public key.
- the authorization request is preferably signed with a private key of the terminal and contains a public and a private part.
- the public part of the authorization request is accessible to the provider and the private part of the authorization request is encrypted with a public key of the authorizer.
- the transmission is preferably carried out by means of a device for wireless data transmission.
- the device for wireless data transmission preferably has near field communication, NFC, Bluetooth LE, QR code, barcode or sound.
- the mediator can be an application on the terminal.
- the invention further comprises a terminal for releasing or blocking resources, the terminal having means for wireless communication which are set up to send a resource request from the terminal to a provider, the transmission being carried out via an intermediary.
- the means for wireless communication are also set up to receive an authorization request from the provider via the intermediary to the terminal.
- the means for wireless communication are set up to send an authorization request from the terminal to an authorizing party, to receive a receipt with an authorization response from the authorizing party to the terminal and to send the receipt from the terminal to the provider.
- the means for wireless communication if there is at times no connection between the terminal and the authorizing party because the terminal is in an offline mode, are also set up to send a resource request from the terminal to a provider, the transmission being carried out via an intermediary, to receive an authorization request from the provider via the intermediary to the terminal and to send a receipt from the terminal to the provider with a certificate issued by the authorizer in advance.
- the invention further comprises a terminal for releasing or blocking resources, the terminal having means for wireless communication set up to send a resource request from the terminal to a provider, the transmission taking place via an intermediary.
- the provider also has means for wireless communication.
- the means for wireless communication of the provider are also set up to send an authorization request from the provider to the authorizing party and to receive an identified authorization request from the authorizing party to the provider.
- the means for wireless communication of the provider are set up to send the identified authorization request from the provider via the intermediary to the terminal send.
- the terminal is set up to create a local confirmation and, via means for wireless communication, to send this confirmation from the terminal via the intermediary to the provider.
- the means for wireless communication of the provider are also set up to send the confirmation from the provider to the authorizer, to validate the confirmation by the authorizer and to receive an authorization response from the authorizer back to the provider.
- the means for wireless communication of the terminal are also set up to send a resource request from a terminal to a provider, the transmission being carried out via an intermediary to receive an authorization request from the provider via the intermediary to the terminal , whereby the transmission takes place via the intermediary, and to send an authorization confirmation from the terminal to the provider and to compare it with a certificate issued in advance.
- an authorizer who decides on an authorization of a resource
- a provider who provides a resource
- client a user or terminal
- connection between the end device and the authorizing party and between the terminal device and the provider, but not between the provider and the authorizing party.
- the end device in terms of access to the authorizing party, the end device is online, but the provider is offline.
- This connection can be wireless or non-wireless.
- the provider and authorizer each have a private / public key pair, whereby the other person knows the public key.
- the provider Since the terminal is online and the provider is offline, the provider must therefore know the author's public key in order to be able to guarantee secure and secret communication between the provider and the authorizing party via the terminal. The party that communicates with the authorizing party must therefore not be able to view or change information that the provider only intended for the authorizing party.
- the method has the following steps, whereby the data can be sent from the terminal via the intermediary or can be carried out directly by the terminal: the terminal requests a resource from the provider.
- the provider sends a local authorization request back to the terminal.
- This authorization request is encrypted with the authoritative public key and signed with the provider's private key.
- the terminal device transmits the local authorization request to the authorizer.
- the authorizer grants or denies authorization and sends a receipt with the authorization response back to the end device.
- the receipt is encrypted with the provider's public key and signed with the authoritative private key.
- the document is then forwarded from the end device to the provider.
- the provider validates the document and compares it with the local authorization request. This means that the provider evaluates the authorization response and accordingly releases or blocks the resource.
- the authorization request is signed with the provider's private key and contains a public part and a private part.
- the public part is accessible to the intermediary and the end device, and the private part to the author.
- the private part of the authorization request is encrypted with the author's public key, which is known to the provider.
- Authorizers and providers can thus communicate confidentially and forgery-proof via a third party, the terminal or the intermediary, and provide the third party with data about the authorization. This procedure can also be used asynchronously and with a time delay.
- a clear identification can be used in the authorization request, which is sent back in the document.
- Each identification is preferably only valid for one transaction.
- Communication with the authorizing party is preferably encrypted via HTTPS with TLS 1.2+.
- Communication between the terminal and the provider is preferably via QR code, barcode, NFC, Bluetooth LE, sound or the like.
- the procedure in the event that the terminal is offline but the provider is online is described in more detail below.
- the terminal makes a resource request locally to the provider, which can be done via an intermediary.
- the authorization request for the release of a resource is transmitted from the provider to the authorizer, who sends back an identified authorization request that is assigned to the authorization request.
- This authorization request is signed with the private key of the authorizer and encrypted with the public key of the terminal.
- the provider transmits the authorization order to the terminal, preferably also via the intermediary.
- the end device creates a local confirmation, which is encrypted with the public key of the authorizing party and signed with the private key of the end device.
- This confirmation is transmitted from the terminal to the provider, preferably via the intermediary.
- the provider transmits the confirmation to the authorizer, who validates the same confirmation and sends an authorization response back to the provider.
- the terminal In particular, if the terminal is offline and the provider is online, the terminal must know the author's public key, so that secure and secret communication between the terminal and the author can take place via the provider. Thus, the party communicating with the authorizing party must not be able to view or change information that the terminal device is only intended for the authorizing party.
- connection can be wireless or non-wireless.
- an authorization method can nevertheless be carried out according to the present invention, although the terminal is offline.
- the terminal device receives a short-lived offline certificate of the actions allowed for it during a connection between the terminal device and the authorizing party. If a resource request is now sent from the terminal to the provider, the authorization request signed with the offline certificate is sent from the terminal to the provider. The provider now decides whether the requested resource can be released or blocked. As soon as there is a connection between the provider and the authorizing party, the signed offline requests are transmitted and checked by the authorizing party.
- a unique identification is preferably used to prevent multiple use of certificates, resource requests, authorization requests and receipts.
- the offline certificate enables authorization to be carried out even with a local connection between the end device and the provider.
- This certificate is preferably only issued to end devices or customers with verified identity and high creditworthiness.
- the provider can set certain parameters in advance (for example, a maximum amount and credit information in the case of payment authorization, security level in the case of access control, date of issue, etc.).
- the terminal preferably receives an offline certificate with the corresponding parameters at regular intervals when there is a connection between the terminal and the authorizing party (backend).
- the provider in turn, preferably receives revocation lists for offline certificates of the terminal devices at regular intervals if there is a connection between the provider and the authorizing party (backend).
- the authorization can still be carried out using the offline certificate.
- the provider creates a local authorization request, which is encrypted with the authoritative public key and signed with the provider's private key.
- the provider transmits a public part of the local authorization request to the terminal.
- the terminal creates a local confirmation (receipt) that is assigned to the authorization request. This is encrypted with the authoritative public key and signed with the end device's private key.
- the public part of the confirmation is sent to the provider together with the offline certificate.
- the provider validates the confirmation and checks the offline certificate and the public part of the confirmation. After the check, the provider can release or block the resource.
- all local authorization requests and confirmations are sent to the authorizing party or the backend.
- Sending and receiving from and to the end device can take place wirelessly, for example via near field communication (NFC), Bluetooth LE, QR code, barcode or sound.
- NFC near field communication
- Bluetooth LE Bluetooth LE
- QR code barcode or sound.
- the invention also includes a terminal with means for wireless communication, which is set up to carry out the method described above.
- the invention is illustrated by the following examples. The cases in which the terminal is offline, the provider is offline or the terminal and provider are offline are discussed here.
- Example 1 concerns access control to a building.
- the resource is the door
- the authorizer is a server that controls access to the door
- the provider is a door lock
- the user is a person who wants to open the door
- the intermediary is an application on a mobile device or similar. It is also assumed that between the door lock (Provider) and server (authoritative) there is no connection. In other words, the provider is offline in this case.
- the door lock (provider) sends the opening or authorization request back to the application.
- the application then sends the opening request to the server (authorizing party), which checks whether the user is authorized to open the door and whether the authorization request is signed with the private key of the door lock.
- the name of the resource (for example "north door") can be found for the user from the public part of the authorization request.
- the authorization request also has a specific ID to prevent multiple uses.
- the corresponding document with the authorization response is then sent back to the application and from there forwarded to the door lock. There it is checked whether the receipt has been signed with the private key of the server and whether the ID has not yet been used. If both apply, the user can open the door.
- the invention can, as in the following in Example 2 with reference to Fig. 2 is also used for a payment transaction.
- a product represents the resource, a payment platform the authorizer, a seller or a cash register system the provider, a buyer the user or a mobile device, and an application on the mobile device the intermediary. It is also assumed that there is no connection between the cash register system or seller (provider) and payment platform (authorizing party). In other words, the provider is offline in this case.
- the buyer communicates with the POS system using the application on the end device (resource request (S1)).
- the POS system transmits the authorization request, which includes the price and type of the goods, back to the application (S2).
- the public part of the authorization request is the shopping cart.
- the Buyers confirm the purchase, they receive the authorization request, which is then transmitted from the application to the payment platform (S3). If the payment platform issues a release, the buyer or the application receives a receipt with the authorization response (S4). This in turn is forwarded to the cash register system (S5), which can release or block the goods after a successful check (S6).
- the procedure is initially the same as in Example 2, except that the buyer needs an offline certificate in advance to communicate with the POS system. Instead of the transmission and receipt of the receipt to and from the payment platform, the application sends the offline certificate to the cash register system.
- This offline certificate is checked by the cash register system to determine whether it was signed by the payment platform, whether the certificate is valid, whether it was used to sign the same authorization request and whether it is authorized. If all of this applies, the goods will be released. As soon as the POS system is connected to the payment platform, the certificate and voucher are transmitted and booked accordingly.
- Examples 2 and 3 which used a payment process to illustrate the authorization process presented, are not to be understood as restrictive.
- the method described above in the event that the terminal and the provider are offline can also be used for other processes in which authorization is required.
- an exemplary method for the case that the terminal is offline is presented.
- the prerequisite for this is that the end device and the authorizing party know each other's public key.
- the provider submits an authorization request to the authorizer (1) (for example, a product with the associated price, access to a door, etc.).
- the authorizer sends an identified authorization request back to the provider (2), which is then forwarded by the provider to the terminal (3).
- the end device sends a confirmation back to the provider, which is signed by the end device (4).
- the private part of the confirmation is encrypted with the authoritative public key.
- the confirmation is in turn transmitted from the provider to the authorizer (5), who then sends an authorization response back to the provider (6).
- the provider subsequently releases or blocks the resource (7).
- resources can thus be released even if there is no connection between the provider and the authorizing device or the terminal device and authorizing person.
- the method can be used for all processes that require special authorization and identification of the user.
- the invention also includes individual features in the figures, even if they are shown there in connection with other features and / or are not mentioned above.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Mobile Radio Communication Systems (AREA)
Abstract
Die Erfindung befasst sich mit einem Autorisierungsverfahren zum Freigeben von Ressourcen, wobei das Verfahren auch offline verwendet werden kann. Insbesondere weist das Verfahren auf: Senden, über Mittel zur drahtlosen Kommunikation, einer Ressourcenanfrage von einem Endgerät an einen Anbieter, wobei das Senden über einen Mittler erfolgt. Senden einer Autorisierungsanfrage vom Anbieter zum Endgerät. Senden der Autorisierungsanfrage vom Endgerät zu einem Autorisierenden. Senden eines Belegs mit einer Autorisierungsantwort vom Autorisierenden zum Endgerät. Senden des Belegs vom Endgerät zum Anbieter und Freigabe oder Sperren der Ressource entsprechend der im Beleg enthaltenen Autorisierungsantwort. Falls keine Verbindung zwischen Endgerät und Autorisierendem besteht, weist das Verfahren die folgenden Schritte auf: Senden einer Ressourcenanfrage von einem Endgerät an einen Anbieter, wobei das Senden über einen Mittler erfolgt. Senden einer Autorisierungsanfrage vom Anbieter zum Endgerät. Senden eines Belegs mit einem vom Autorisierenden im Vorhinein ausgestellten Zertifikat vom Endgerät an den Anbieter und Freigabe oder Sperren der Ressource entsprechend des Belegs mit dem Zertifikat. The invention is concerned with an authorization method for releasing resources, wherein the method can also be used offline. In particular, the method comprises: sending, via means for wireless communication, a resource request from a terminal to a provider, the sending taking place via an intermediary. Send an authorization request from the provider to the end device. Sending the authorization request from the terminal to an authorizing party. Sending a receipt with an authorization response from the authorizer to the end device. Sending the receipt from the end device to the provider and releasing or blocking the resource according to the authorization response contained in the receipt. If there is no connection between the terminal device and the authorizing party, the method has the following steps: sending a resource request from a terminal device to a provider, the sending taking place via an intermediary. Send an authorization request from the provider to the end device. Sending a receipt with a certificate issued by the author in advance from the end device to the provider and releasing or blocking the resource according to the receipt with the certificate.
Description
Die Erfindung befasst sich mit einem Autorisierungsverfahren zum Freigeben oder Sperren von Ressourcen, wobei das Verfahren auch offline verwendet werden kann. Ferner betrifft die Erfindung ein entsprechendes Endgerät.The invention is concerned with an authorization method for releasing or locking resources, the method also being able to be used offline. The invention further relates to a corresponding terminal.
In herkömmlichen Autorisierungsverfahren für Transaktionen oder Datenübermittlung zwischen einem Benutzer, einem Anbieter und einem Autorisierenden muss stets eine Verbindung zwischen den Handelnden bestehen. In der Regel wird die Anfrage des Benutzers an den Anbieter gesendet, der beim Autorisierenden eine Freigabe ersucht. Die Antwort über die Ressourcenfreigabe wird dann wieder an den Anbieter übermittelt, der die Ressource dann an den Benutzer freigibt oder sie sperrt. Hierfür muss allerdings stets eine Verbindung zwischen Benutzer und Anbieter sowie zwischen Anbieter und Autorisierendem bestehen. Ist dies nicht der Fall, kann eine Autorisierung gegebenenfalls nicht erfolgen.In conventional authorization procedures for transactions or data transmission between a user, a provider and an authorizer, there must always be a connection between the agents. As a rule, the user's request is sent to the provider, who requests authorization from the authorizing party. The response about the resource release is then sent back to the provider, who then releases the resource to the user or blocks it. For this, however, there must always be a connection between the user and the provider as well as between the provider and the authorizing party. If this is not the case, authorization may not be possible.
Aufgabe der vorliegenden Erfindung ist es somit, ein Verfahren bereitzustellen, das es ermöglicht, auch offline, d.h. ohne aktive Verbindung zwischen Anbieter und Autorisierendem und/oder zwischen Endgerät und Autorisierendem, eine Autorisierung und Ressourcenfreigabe oder -sperrung durchzuführen. Diese Aufgabe wird durch die vorliegende Erfindung gelöst.The object of the present invention is therefore to provide a method which also enables offline, i.e. without an active connection between the provider and the authorizing party and / or between the terminal device and the authorizing party, to carry out authorization and resource release or blocking. This object is achieved by the present invention.
Gemäß einem ersten Aspekt wird ein Autorisierungsverfahren zur Freigabe oder zum Sperren von Ressourcen bereitgestellt, das die folgenden Schritte aufweist:
- Senden, über Mittel zur drahtlosen Kommunikation, einer Ressourcenanfrage von einem Endgerät an einen Anbieter, wobei das Senden über einen Mittler erfolgt.
- Senden, über Mittel zur drahtlosen Kommunikation, einer Autorisierungsanfrage vom Anbieter zum Endgerät, wobei das Senden über den Mittler erfolgt.
- Senden, über Mittel zur drahtlosen Kommunikation, der Autorisierungsanfrage vom Endgerät zu einem Autorisierenden.
- Senden, über Mittel zur drahtlosen Kommunikation, eines Belegs mit einer Autorisierungsantwort vom Autorisierenden zum Endgerät.
- Senden, über Mittel zur drahtlosen Kommunikation, des Belegs vom Endgerät zum Anbieter und
- Freigabe oder Sperren der Ressource entsprechend der im Beleg enthaltenen Autorisierungsantwort.
- Sending, via means for wireless communication, a resource request from a terminal to a provider, the sending taking place via an intermediary.
- Sending, via means for wireless communication, an authorization request from the provider to the terminal, the transmission being carried out via the intermediary.
- Sending, via means for wireless communication, the authorization request from the terminal to an authorizing party.
- Sending, via means for wireless communication, a receipt with an authorization response from the author to the terminal.
- Send, via means for wireless communication, the receipt from the terminal to the provider and
- Release or block the resource according to the authorization response contained in the document.
Bevorzugt ist die Autorisierungsanfrage mit einem privaten Schlüssel des Anbieters signiert und enthält einen öffentlichen und einen privaten Teil. Der öffentliche Teil der Autorisierungsanfrage ist für das Endgerät zugänglich und der private Teil der Autorisierungsanfrage ist mit einem öffentlichen Schlüssel des Autorisierenden verschlüsseltThe authorization request is preferably signed with a private key of the provider and contains a public and a private part. The public part of the authorization request is accessible to the terminal and the private part of the authorization request is encrypted with a public key of the authorizer
Dieser erste Aspekt berifft das Szenario, dass der Anbieter gegenüber dem Autorisierenden Offline ist.This first aspect concerns the scenario that the provider is offline to the authorizing party.
Ein zweiter Aspekt betrifft das Szenario, dass das Endgerät gegenüber dem Autorisierenden offline ist. Der zweite Aspekt ist sowohl separat erfindungsgemäß als auch in Ergänzung zum ersten Aspekt, also in Kombination mit der ersten Aspekt. Falls demnach zeitweise keine Verbindung zwischen Endgerät und Autorisierendem besteht, weil das Endgerät sich gegenüber dem Autorisierenden in einem Offline-Modus befindet, weist das erfindungsgemäße Autorisierungsverfahren - in Abwandlung vom bzw. Ergänzung zum geschilderten Autorisierungsverfahren des ersten Aspekts die folgenden Schritte auf:
- Senden, über Mittel zur drahtlosen Kommunikation, einer Ressourcenanfrage von einem Endgerät an einen Anbieter, wobei das Senden über einen Mittler erfolgt.
- Senden, über Mittel zur drahtlosen Kommunikation, einer Autorisierungsanfrage vom Anbieter zum Endgerät, wobei das Senden über den Mittler erfolgt.
- Senden, über Mittel zur drahtlosen Kommunikation, einer Autorisierungsbestätigung mit einem vom Autorisierenden im Vorhinein ausgestellten Zertifikat vom Endgerät an den Anbieter und
- Freigabe oder Sperren der Ressource entsprechend des Belegs mit dem Zertifikat.
- Sending, via means for wireless communication, a resource request from a terminal to a provider, the sending taking place via an intermediary.
- Sending, via means for wireless communication, an authorization request from the provider to the terminal, the transmission being carried out via the intermediary.
- Sending, via means for wireless communication, an authorization confirmation with a certificate issued by the authorizer in advance from the terminal to the provider and
- Release or block the resource according to the document with the certificate.
Hierbei wird davon ausgegangen, dass auch der Anbieter gegenüber dem Autorisierenden offline ist.It is assumed that the provider is also offline to the authorizing party.
Gemäß einem weiteren Aspekt, in dem das Endgerät offline ist, der Anbieter gegenüber dem Autorisierenden aber online ist, weist das Verfahren folgende Schritte auf:
- Senden, über Mittel zur drahtlosen Kommunikation, einer Ressourcenanfrage von einem Endgerät an einen Anbieter, wobei das Senden über einen Mittler erfolgt.
- Senden, über Mittel zur drahtlosen Kommunikation, einer Autorisierungsanfrage vom Anbieter zum Autorisierenden.
- Senden, über Mittel zur drahtlosen Kommunikation, einer identifizierten Autorisierungsanfrage vom Autorisierenden an den Anbieter.
- Senden, über Mittel zur drahtlosen Kommunikation, der identifizierten Autorisierungsanfrage vom Anbieter and das Endgerät, vorzugsweise über den Mittler.
- Anlegen, durch das Endgerät, einer lokalen Bestätigung, und
- Senden, über Mittel zur drahtlosen Kommunikation, dieser Bestätigung vom Endgerät an den Anbieter, vorzugsweise über den Mittler.
- Senden der Bestätigung vom Anbieter an den Autorisierenden.
- Validieren der Bestätigung durch den Autorisierenden und
- Senden einer Autorisierungsantwort vom Autorisierenden an den Anbieter zurück. Abschließend erfolgt die Freigabe oder das Sperren der Ressource durch den Anbieter an das Endgerät.
- Sending, via means for wireless communication, a resource request from a terminal to a provider, the sending taking place via an intermediary.
- Sending, via means for wireless communication, an authorization request from the provider to the authorizing party.
- Sending, via means for wireless communication, an identified authorization request from the authorizer to the provider.
- Sending, via means for wireless communication, the identified authorization request from the provider to the terminal, preferably via the intermediary.
- Create, through the terminal, a local confirmation, and
- Sending, via means for wireless communication, this confirmation from the terminal to the provider, preferably via the intermediary.
- Send the confirmation from the provider to the authorizer.
- Validate the authoritative confirmation and
- Send an authorization response from the authorizer back to the provider. Finally, the provider releases or blocks the resource on the end device.
Der dritte Aspekt ist sowohl separat erfindungsgemäß als auch in Ergänzung zum ersten oder zweiten Aspekt, also in Kombination mit dem ersten Aspekt.The third aspect is both separately according to the invention and in addition to the first or second aspect, that is to say in combination with the first aspect.
Das erfindungsgemäße Verfahren weist vorzugsweise ferner das Bereitstellen eines öffentlichen und eines privaten Schlüssels jeweils für den Anbieter und den Autorisierenden auf und Anbieter und Autorisierender kennen jeweils den anderen öffentlichen Schlüssel.The method according to the invention preferably further comprises the provision of a public and a private key for the provider and the authorizing party, and the provider and the authorizing party each know the other public key.
Bevorzugt ist die Autorisierungsanfrage gemäß dem dritten Aspekt mit einem privaten Schlüssel des Endgeräts signiert und enthält einen öffentlichen und einen privaten Teil. Der öffentliche Teil der Autorisierungsanfrage ist für den Anbieter zugänglich und der private Teil der Autorisierungsanfrage ist mit einem öffentlichen Schlüssel des Autorisierenden verschlüsselt.According to the third aspect, the authorization request is preferably signed with a private key of the terminal and contains a public and a private part. The public part of the authorization request is accessible to the provider and the private part of the authorization request is encrypted with a public key of the authorizer.
Das Senden wird bevorzugt mittels einer Vorrichtung zur drahtlosen Datenübertragung durchgeführt. Die Vorrichtung zur drahtlosen Datenübertragung weist bevorzugt Nahfeldkommunikation, NFC, Bluetooth LE, QR Code, Barcode oder Ton auf.The transmission is preferably carried out by means of a device for wireless data transmission. The device for wireless data transmission preferably has near field communication, NFC, Bluetooth LE, QR code, barcode or sound.
Der Mittler kann eine Anwendung auf dem Endgerät sein.The mediator can be an application on the terminal.
Die Erfindung umfasst ferner gemäß einem weiteren Aspekt ein Endgerät zum Freigeben oder Sperren von Ressourcen, wobei das Endgerät Mittel zur drahtlosen Kommunikation aufweist, die zum Senden einer Ressourcenanfrage von dem Endgerät an einen Anbieter eingerichtet sind, wobei das Senden über einen Mittler erfolgt. Die Mittel zur drahtlosen Kommunikation sind ferner dazu eingerichtet, eine Autorisierungsanfrage vom Anbieter über den Mittler zum Endgerät zu empfangen. Ferner sind die Mittel zur drahtlosen Kommunikation eingerichtet, eine Autorisierungsanfrage vom Endgerät zu einem Autorisierenden zu senden, einen Beleg mit einer Autorisierungsantwort vom Autorisierenden zum Endgerät zu empfangen und den Beleg vom Endgerät zum Anbieter zu senden.According to a further aspect, the invention further comprises a terminal for releasing or blocking resources, the terminal having means for wireless communication which are set up to send a resource request from the terminal to a provider, the transmission being carried out via an intermediary. The means for wireless communication are also set up to receive an authorization request from the provider via the intermediary to the terminal. Furthermore, the means for wireless communication are set up to send an authorization request from the terminal to an authorizing party, to receive a receipt with an authorization response from the authorizing party to the terminal and to send the receipt from the terminal to the provider.
Die Mittel zur drahtlosen Kommunikation sind, falls zeitweise keine Verbindung zwischen Endgerät und Autorisierendem besteht, weil das Endgerät sich in einem Offline-Modus befindet, ferner eingerichtet, eine Ressourcenanfrage von dem Endgerät an einen Anbieter zu senden, wobei das Senden über einen Mittler erfolgt, eine Autorisierungsanfrage vom Anbieter über den Mittler zum Endgerät zu empfangen und einen Beleg mit einem vom Autorisierenden im Vorhinein ausgestellten Zertifikat vom Endgerät an den Anbieter zu senden.The means for wireless communication, if there is at times no connection between the terminal and the authorizing party because the terminal is in an offline mode, are also set up to send a resource request from the terminal to a provider, the transmission being carried out via an intermediary, to receive an authorization request from the provider via the intermediary to the terminal and to send a receipt from the terminal to the provider with a certificate issued by the authorizer in advance.
Gemäß einem weiteren Aspekt umfasst die Erfindung ferner ein Endgerät zum Freigeben oder Sperren von Ressourcen, wobei das Endgerät Mittel zur drahtlosen Kommunikation aufweist eingerichtet zum Senden einer Ressourcenanfrage von dem Endgerät an einen Anbieter, wobei das Senden über einen Mittler erfolgt. Ferner weist der Anbieter Mittel zur drahtlosen Kommunikation auf. Die Mittel zur drahtlosen Kommunikation des Anbieters sind ferner eingerichtet, eine Autorisierungsanfrage vom Anbieter zum Autorisierenden zu senden, und eine identifizierte Autorisierungsanfrage vom Autorisierenden an den Anbieter zu empfangen. Weiterhin sind die Mittel zur drahtlosen Kommunikation des Anbieters eingerichtet, die identifizierte Autorisierungsanfrage vom Anbieter über den Mittler an das Endgerät zu senden. Das Endgerät ist eingerichtet, eine lokale Bestätigung anzulegen und, über Mittel zur drahtlosen Kommunikation, diese Bestätigung vom Endgerät über den Mittler an den Anbieter zu senden. Die Mittel zur drahtlosen Kommunikation des Anbieters sind ferner eingerichtet, die Bestätigung vom Anbieter an den Autorisierenden zu senden, die Bestätigung durch den Autorisierenden zu validieren und eine Autorisierungsantwort vom Autorisierenden an den Anbieter zurück zu empfangen.According to a further aspect, the invention further comprises a terminal for releasing or blocking resources, the terminal having means for wireless communication set up to send a resource request from the terminal to a provider, the transmission taking place via an intermediary. The provider also has means for wireless communication. The means for wireless communication of the provider are also set up to send an authorization request from the provider to the authorizing party and to receive an identified authorization request from the authorizing party to the provider. Furthermore, the means for wireless communication of the provider are set up to send the identified authorization request from the provider via the intermediary to the terminal send. The terminal is set up to create a local confirmation and, via means for wireless communication, to send this confirmation from the terminal via the intermediary to the provider. The means for wireless communication of the provider are also set up to send the confirmation from the provider to the authorizer, to validate the confirmation by the authorizer and to receive an authorization response from the authorizer back to the provider.
Falls zeitweise keine Verbindung zwischen Anbieter und Autorisierendem besteht, sind die Mittel zur drahtlosen Kommunikation des Endgeräts ferner eingerichtet eine Ressourcenanfrage von einem Endgerät an einen Anbieter zu senden, wobei das Senden über einen Mittler erfolgt, eine Autorisierungsanfrage vom Anbieter über den Mittler zum Endgerät zu empfangen, wobei das Senden über den Mittler erfolgt, und eine Autorisierungsbestätigung vom Endgerät an den Anbieter zu senden und mit einem im Vorhinein ausgestellten Zertifikat zu vergleichen.If at times there is no connection between the provider and the authorizing party, the means for wireless communication of the terminal are also set up to send a resource request from a terminal to a provider, the transmission being carried out via an intermediary to receive an authorization request from the provider via the intermediary to the terminal , whereby the transmission takes place via the intermediary, and to send an authorization confirmation from the terminal to the provider and to compare it with a certificate issued in advance.
Die vorliegende Erfindung wird anhand der Zeichnungen verdeutlicht. Es zeigen
-
Fig. 1 ein Ablaufdiagramm einer beispielhaften Ausführungsform -
Fig. 2 ein Ablaufdiagramm einer beispielhaften Ausführungsform; und -
Fig. 3 ein beispielhaftes Verfahren für den Fall, dass das Endgerät offline ist.
-
Fig. 1 a flowchart of an exemplary embodiment -
Fig. 2 a flowchart of an exemplary embodiment; and -
Fig. 3 an exemplary method in the event that the terminal is offline.
Erfindungsgemäß wird vorausgesetzt, dass ein Autorisierender (Resource Owner), der über eine Autorisierung einer Ressource entscheidet, ein Anbieter (Resource Provider), der eine Ressource bereitstellt und ein Benutzer bzw. Endgerät (Client) vorhanden sind. Auch ein Mittler (Agent) ist vorgesehen, der im Auftrag des Benutzers den Zugriff auf eine Ressource beantragt, wobei der Mittler aber auch eine Anwendung auf dem Endgerät sein kann.According to the invention, it is assumed that an authorizer (resource owner), who decides on an authorization of a resource, a provider (resource provider), who provides a resource and a user or terminal (client) are available. A mediator (agent) is also provided, which requests access to a resource on behalf of the user, but the mediator can also be an application on the terminal.
Es besteht eine Verbindung zwischen Endgerät und Autorisierendem sowie zwischen Endgerät und Anbieter, nicht jedoch zwischen Anbieter und Autorisierendem. Mit anderen Worten, im Sinne des Zugangs zum Autorisierenden ist das Endgerät online, der Anbieter aber offline. Diese Verbindung kann drahtlos oder nicht drahtlos erfolgen. Desweiteren besitzen Anbieter und Autorisierender jeweils ein privates/öffentliches Schlüsselpaar, wobei dem jeweiligen anderen der öffentliche Schlüssel bekannt ist. Die oben genannten Begrifflichkeiten sind jeweils synonym zu verstehen.There is a connection between the end device and the authorizing party and between the terminal device and the provider, but not between the provider and the authorizing party. In other words, in terms of access to the authorizing party, the end device is online, but the provider is offline. This connection can be wireless or non-wireless. Furthermore, the provider and authorizer each have a private / public key pair, whereby the other person knows the public key. The terms mentioned above are to be understood synonymously.
Da das Endgerät online ist und der Anbieter offline, muss der Anbieter also den öffentlichen Schlüssel des Autorisierenden kennen, um eine sichere und geheime Kommunikation zwischen Anbieter und Autorisierendem über das Endgerät gewährleisten zu können. Es darf also diejenige Partei, die mit dem Autorisierenden kommuniziert, nicht die Möglichkeit haben, Informationen einsehen oder ändern zu können, die vom Anbieter nur für den Autorisierenden gedacht sind.Since the terminal is online and the provider is offline, the provider must therefore know the author's public key in order to be able to guarantee secure and secret communication between the provider and the authorizing party via the terminal. The party that communicates with the authorizing party must therefore not be able to view or change information that the provider only intended for the authorizing party.
Bezugnehmend auf
Die Autorisierungsanfrage ist dabei mit dem privaten Schlüssel des Anbieters signiert und enthält einen öffentlichen Teil und einen privaten Teil. Der öffentliche Teil ist dabei unter anderem zugänglich für den Mittler und das Endgerät, der private Teil für den Autorisierenden. Der private Teil der Autorisierungsanfrage ist mit dem öffentlichen Schlüssel des Autorisierenden verschlüsselt, der dem Anbieter bekannt ist. Somit können Autorisierender und Anbieter vertraulich und fälschungssicher über eine dritte Instanz, das Endgerät bzw. den Mittler, kommunizieren und dabei der dritten Instanz Daten über die Autorisierung bereitstellen. Dieses Verfahren kann auch asynchron und zeitversetzt angewendet werden.The authorization request is signed with the provider's private key and contains a public part and a private part. The public part is accessible to the intermediary and the end device, and the private part to the author. The private part of the authorization request is encrypted with the author's public key, which is known to the provider. Authorizers and providers can thus communicate confidentially and forgery-proof via a third party, the terminal or the intermediary, and provide the third party with data about the authorization. This procedure can also be used asynchronously and with a time delay.
Um die mehrfache Verwendung von Autorisierungsanfragen ausschließen zu können, kann eine eindeutige Identifikation in der Autorisierungsanfrage verwendet werden, welche im Beleg zurückgesendet wird. Bevorzugt ist jede Identifikation nur für je eine Transaktion gültig.In order to be able to rule out the multiple use of authorization requests, a clear identification can be used in the authorization request, which is sent back in the document. Each identification is preferably only valid for one transaction.
Die Kommunikation mit dem Autorisierenden (auch als Backend bezeichnet) erfolgt bevorzugt verschlüsselt via HTTPS mit TLS 1.2+. Die Kommunikation zwischen Endgerät und Anbieter erfolgt bevorzugt über QR Code, Barcode, NFC, Bluetooth LE, Ton oder dergleichen.Communication with the authorizing party (also known as the backend) is preferably encrypted via HTTPS with TLS 1.2+. Communication between the terminal and the provider is preferably via QR code, barcode, NFC, Bluetooth LE, sound or the like.
Das Verfahren für den Fall, dass das Endgerät offline ist, der Anbieter jedoch online ist, wird im Folgenden näher beschrieben. Das Endgerät stellt lokal eine Ressourcenanfrage an den Anbieter, wobei dies über einen Mittler erfolgen kann. Die Autorisierungsanfrage zur Freigabe einer Ressource wird vom Anbieter an den Autorisierenden übermittelt, der einen identifizierten Autorisierungsauftrag, der der Autorisierungsanfrage zugeordnet ist, zurücksendet. Dieser Autorisierungsauftrag ist mit dem privaten Schlüssel des Autorisierers signiert und dem öffentlichen Schlüssel des Endgerätes verschlüsselt. Der Anbieter übermittelt den Autorisierungsauftrag an das Endgerät, ebenfalls vorzugsweise über den Mittler. Das Endgerät legt eine lokale Bestätigung an, die mit dem öffentlichen Schlüssel des Autorisierenden verschlüsselt und mit dem privaten Schlüssel des Endgeräts signiert ist. Diese Bestätigung wird vom Endgerät an den Anbieter übertragen, vorzugsweise über den Mittler. Der Anbieter übermittelt die Bestätigung an den Autorisierenden, der selbige Bestätigung validiert und eine Autorisiserungsantwort an den Anbieter zurücksendet.The procedure in the event that the terminal is offline but the provider is online is described in more detail below. The terminal makes a resource request locally to the provider, which can be done via an intermediary. The authorization request for the release of a resource is transmitted from the provider to the authorizer, who sends back an identified authorization request that is assigned to the authorization request. This authorization request is signed with the private key of the authorizer and encrypted with the public key of the terminal. The provider transmits the authorization order to the terminal, preferably also via the intermediary. The end device creates a local confirmation, which is encrypted with the public key of the authorizing party and signed with the private key of the end device. This confirmation is transmitted from the terminal to the provider, preferably via the intermediary. The provider transmits the confirmation to the authorizer, who validates the same confirmation and sends an authorization response back to the provider.
Insbesondere muss, falls das Endgerät offline ist und der Anbieter online, das Endgerät den öffentlichen Schlüssel des Autorisierenden kennen, so dass eine sichere und geheime Kommunikation zwischen Endgerät und Autorisierendem über den Anbieter erfolgen kann. Somit darf diejenige Partei, die mit dem Autorisierenden kommuniziert, nicht die Möglichkeit haben, Informationen einsehen oder ändern zu können, die vom Endgerät nur für den Autorisierenden gedacht sind.In particular, if the terminal is offline and the provider is online, the terminal must know the author's public key, so that secure and secret communication between the terminal and the author can take place via the provider. Thus, the party communicating with the authorizing party must not be able to view or change information that the terminal device is only intended for the authorizing party.
Die Verbindung kann jeweils drahtlos oder nicht drahtlos erfolgen.The connection can be wireless or non-wireless.
Im Folgenden Ausführungsbeispiel wird angenommen, dass die Beteiligten, d.h. Endgerät und Anbieter, offline sind, aber regelmäßig online gehen.In the following exemplary embodiment it is assumed that the participants, i.e. Device and provider are offline, but go online regularly.
Falls zeitweise keine Verbindung zwischen Endgerät und Autorisierendem besteht, da das Endgerät zeitweise offline ist, jedoch zumindest temporär eine Verbindung zwischen Autorisierendem und Anbieter besteht, kann gemäß der vorliegenden Erfindung - obwohl das Endgerät offline ist - dennoch ein Autorisierungsverfahren durchgeführt werden.If at times there is no connection between the terminal and the authorizing party, since the terminal is temporarily offline, but at least temporarily there is a connection between the authorizing party and the provider, an authorization method can nevertheless be carried out according to the present invention, although the terminal is offline.
Hierfür erhält das Endgerät während eine Verbindung zwischen Endgerät und Autorisierendem besteht ein kurzlebiges Offline-Zertifikat über die für es erlaubten Aktionen. Wird nun eine Ressourcenanfrage vom Endgerät an den Anbieter gesendet, so wird als Beleg vom Endgerät an den Anbieter die mit dem Offline-Zertifikat signierte Autorisierungsanfrage gesendet. Der Anbieter entscheidet nun, ob die angeforderte Ressource freigegeben werden kann oder gesperrt wird. Sobald wieder eine Verbindung zwischen Anbieter und Autorisierendem besteht, werden die signierten offline Anfragen übermittelt und vom Autorisierenden geprüft.For this purpose, the terminal device receives a short-lived offline certificate of the actions allowed for it during a connection between the terminal device and the authorizing party. If a resource request is now sent from the terminal to the provider, the authorization request signed with the offline certificate is sent from the terminal to the provider. The provider now decides whether the requested resource can be released or blocked. As soon as there is a connection between the provider and the authorizing party, the signed offline requests are transmitted and checked by the authorizing party.
Auch hier wird bevorzugt eine eindeutige Identifikation verwendet, um die Mehrfachnutzung von Zertifikaten, Ressourcenanfragen, Autorisierungsanfragen und Belegen zu verhindern.Here, too, a unique identification is preferably used to prevent multiple use of certificates, resource requests, authorization requests and receipts.
Das Offline Zertifikat ermöglicht es, auch nur mit einer lokalen Verbindung zwischen Endgerät und Anbieter eine Autorisierung durchzuführen. Dieses Zertifikat wird bevorzugt nur an Endgeräte bzw. Kunden mit verifizierter Identität und hoher Bonität ausgestellt. Der Anbieter kann dabei bestimmte Parameter im Vorhinein festsetzen (beispielsweise einen Maximalbetrag und Bonitätsinformationen im Falle einer Zahlungsautorisierung, Sicherheitsstufe im Falle einer Zugangskontrolle, Ausstellungsdatum usw.). Bevorzugt erhält das Endgerät in regelmäßigen Abständen, wenn eine Verbindung zwischen Endgerät und Autorisierendem (Backend) besteht, ein Offline Zertifikat mit den entsprechenden Parametern. Der Anbieter wiederum erhält bevorzugt in regelmäßigen Abständen, wenn eine Verbindung zwischen Anbieter und Autorisierendem (Backend) besteht, Sperrlisten für Offline Zertifikate der Endgeräte.The offline certificate enables authorization to be carried out even with a local connection between the end device and the provider. This certificate is preferably only issued to end devices or customers with verified identity and high creditworthiness. The provider can set certain parameters in advance (for example, a maximum amount and credit information in the case of payment authorization, security level in the case of access control, date of issue, etc.). The terminal preferably receives an offline certificate with the corresponding parameters at regular intervals when there is a connection between the terminal and the authorizing party (backend). The provider, in turn, preferably receives revocation lists for offline certificates of the terminal devices at regular intervals if there is a connection between the provider and the authorizing party (backend).
Falls also nur eine lokale Verbindung zwischen Endgerät und Anbieter besteht, jedoch keiner von beiden zum Zeitpunkt der Ressourcenanfrage eine Verbindung zum Autorisierenden hat, kann die Autorisierung dennoch mithilfe des Offline Zertifikats durchgeführt werden. Hierzu legt der Anbieter eine lokale Autorisierungsanfrage an, die mit dem öffentlichen Schlüssel des Autorisierenden verschlüsselt und mit dem privaten Schlüssel des Anbieters signiert ist. Der Anbieter übermittelt einen öffentlichen Teil der lokalen Autorisierungsanfrage an das Endgerät. Das Endgerät legt eine lokale Bestätigung (Beleg), die der Autorisierungsanfrage zugeordnet ist, an. Diese ist mit dem öffentlichen Schlüssel des Autorisierenden verschlüsselt und mit dem privaten Schlüssel des Endgeräts signiert. Der öffentliche Teil der Bestätigung wird gemeinsam mit dem Offline Zertifikat an den Anbieter übermittelt. Der Anbieter validiert die Bestätigung und prüft das Offline Zertifikat sowie den öffentlichen Teil der Bestätigung. Nach der Prüfung kann der Anbieter die Ressource freigegeben oder sperren. Sobald wieder eine Verbindung zwischen Anbieter und Autorisierendem besteht, werden alle lokalen Autorisierungsanfragen und Bestätigungen an den Autorisierenden bzw. das Backend übermittelt.If there is only a local connection between the end device and the provider, but neither of them has a connection to the authorizing party at the time of the resource request, the authorization can still be carried out using the offline certificate. For this purpose, the provider creates a local authorization request, which is encrypted with the authoritative public key and signed with the provider's private key. The provider transmits a public part of the local authorization request to the terminal. The terminal creates a local confirmation (receipt) that is assigned to the authorization request. This is encrypted with the authoritative public key and signed with the end device's private key. The public part of the confirmation is sent to the provider together with the offline certificate. The provider validates the confirmation and checks the offline certificate and the public part of the confirmation. After the check, the provider can release or block the resource. As soon as there is a connection between the provider and the authorizing party again, all local authorization requests and confirmations are sent to the authorizing party or the backend.
Das Senden und Empfangen von und zum Endgerät kann dabei kabellos erfolgen, beispielsweise via Nahfeldkommunikation (Near Field Communication, NFC), Bluetooth LE, QR Code, Barcode oder Ton.Sending and receiving from and to the end device can take place wirelessly, for example via near field communication (NFC), Bluetooth LE, QR code, barcode or sound.
Die Erfindung umfasst auch ein Endgerät mit Mitteln zur drahtlosen Kommunikation, das eingerichtet ist, das oben beschriebene Verfahren durchzuführen.The invention also includes a terminal with means for wireless communication, which is set up to carry out the method described above.
Die Erfindung soll anhand der folgenden Beispiele weiter erläutert werden. Hierbei wird auf die Fälle, dass das Endgerät offline ist, der Anbieter offline ist oder Endgerät und Anbieter offline sind, eingegangen.The invention is illustrated by the following examples. The cases in which the terminal is offline, the provider is offline or the terminal and provider are offline are discussed here.
Beispiel 1 betrifft eine Zugangskontrolle zu einem Gebäude. Hierbei ist die Ressource die Tür, der Autorisierende ein Server, der den Zugang zur Türe steuert, der Anbieter ein Türschloss, der Benutzer eine Person, die die Tür öffnen will und der Mittler eine Anwendung auf einem mobilen Endgerät o.ä. Dabei wird ferner angenommen, dass zwischen Türschloss (Anbieter) und Server (Autorisierendem) keine Verbindung besteht. Mit anderen Worten ist in diesem Fall der Anbieter offline.Example 1 concerns access control to a building. The resource is the door, the authorizer is a server that controls access to the door, the provider is a door lock, the user is a person who wants to open the door and the intermediary is an application on a mobile device or similar. It is also assumed that between the door lock (Provider) and server (authoritative) there is no connection. In other words, the provider is offline in this case.
Nach der Ressourcenanfrage durch die Anwendung (Mittler) sendet das Türschloss (Anbieter) die Öffnungs- bzw. Autorisierungsanfrage zurück an die Anwendung. Die Anwendung sendet daraufhin die Öffnungsanfrage an den Server (Autorisierender), der prüft, ob der Benutzer berechtigt ist, die Türe zu öffnen und ob die Autorisierungsanfrage mit dem privaten Schlüssel des Türschlosses signiert ist. Dem öffentlichen Teil der Autorisierungsanfrage kann dabei für den Benutzer der Name der Ressource (bspw. "Türe Nord") entnommen werden. Die Autorisierungsanfrage besitzt ferner eine spezifische ID, um Mehrfachverwendungen auszuschließen. Der entsprechende Beleg mit der Autorisierungsantwort wird dann an die Anwendung zurückgeschickt und von dort wiederum an das Türschloss weitergeleitet. Dort wird geprüft, ob der Beleg mit dem privaten Schlüssel des Servers signiert wurde und ob die ID noch nicht verwendet wurde. Falls beides zutrifft, kann der Benutzer die Türe öffnen.After the request for resources by the application (intermediary), the door lock (provider) sends the opening or authorization request back to the application. The application then sends the opening request to the server (authorizing party), which checks whether the user is authorized to open the door and whether the authorization request is signed with the private key of the door lock. The name of the resource (for example "north door") can be found for the user from the public part of the authorization request. The authorization request also has a specific ID to prevent multiple uses. The corresponding document with the authorization response is then sent back to the application and from there forwarded to the door lock. There it is checked whether the receipt has been signed with the private key of the server and whether the ID has not yet been used. If both apply, the user can open the door.
Das eben angeführte Beispiel einer Zugangskontrolle dient lediglich illustrativen Zwecken, die vorliegende Erfindung kann jedoch auf jeden Autorisierungsvorgang, bei dem der Anbieter offline ist, angewendet werden.The example of access control just given is for illustrative purposes only, but the present invention can be applied to any authorization process in which the provider is offline.
Die Erfindung kann, wie im Folgenden in Beispiel 2 mit Bezug auf
Nach der Auswahl einer Ware kommuniziert der Käufer mittels der Anwendung auf dem Endgerät mit dem Kassensystem (Ressourcenanfrage (S1)). Das Kassensystem übermittelt die Autorisierungsanfrage, die Preis und Typ der Ware beinhaltet, zurück an die Anwendung (S2). Der öffentliche Teil der Autorisierungsanfrage ist hierbei der Warenkorb. Sollte der Käufer den Kauf bestätigen, erhält er die Autorisierungsanfrage, welche daraufhin von der Anwendung an die Zahlungsplattform übermittelt wird (S3). Erteilt die Zahlungsplattform eine Freigabe, erhält der Käufer bzw. die Anwendung einen Beleg mit der Autorisierungsantwort (S4). Dies wird wiederum an das Kassensystem weitergeleitet (S5), welches nach erfolgreicher Überprüfung die Waren freigeben oder sperren kann (S6).After selecting a product, the buyer communicates with the POS system using the application on the end device (resource request (S1)). The POS system transmits the authorization request, which includes the price and type of the goods, back to the application (S2). The public part of the authorization request is the shopping cart. Should the Buyers confirm the purchase, they receive the authorization request, which is then transmitted from the application to the payment platform (S3). If the payment platform issues a release, the buyer or the application receives a receipt with the authorization response (S4). This in turn is forwarded to the cash register system (S5), which can release or block the goods after a successful check (S6).
Der Fall, dass keine Verbindung zwischen Kassensystem (Anbieter) und Zahlungsplattform (Autorisierender) besteht und der Käufer (Endgerät) ebenfalls kurzzeitig offline ist wird im folgenden Beispiel 3 erläutert. In diesem Beispiel sind sowohl Anbieter als auch Endgerät offline.The case that there is no connection between the checkout system (provider) and payment platform (authorizing party) and the buyer (end device) is also temporarily offline is explained in the following example 3. In this example, both the provider and the end device are offline.
Das Verfahren ist zunächst gleich wie in Beispiel 2, nur dass der Käufer im Vorhinein ein offline Zertifikat zur Kommunikation mit dem Kassensystem benötigt. Anstelle der Übermittlung und des Erhalts des Belegs an die und von der Zahlungsplattform wird dem Kassensystem von der Anwendung das offline Zertifikat übermittelt. Dieses offline Zertifikat wird vom Kassensystem dahingehend geprüft, ob es von der Zahlungsplattform signiert wurde, ob das Zertifikat gültig ist, ob die gleiche Autorisierungsanfrage damit signiert wurde und ob eine Berechtigung besteht. Wenn dies alles zutrifft, wird die Ware freigegeben. Sobald das Kassensystem in Verbindung mit der Zahlungsplattform steht, werden das Zertifikat und der Beleg übermittelt und entsprechend verbucht.The procedure is initially the same as in Example 2, except that the buyer needs an offline certificate in advance to communicate with the POS system. Instead of the transmission and receipt of the receipt to and from the payment platform, the application sends the offline certificate to the cash register system. This offline certificate is checked by the cash register system to determine whether it was signed by the payment platform, whether the certificate is valid, whether it was used to sign the same authorization request and whether it is authorized. If all of this applies, the goods will be released. As soon as the POS system is connected to the payment platform, the certificate and voucher are transmitted and booked accordingly.
Die Beispiele 2 und 3, die einen Zahlungsvorgang zur Veranschaulichung des vorgestellten Autorisierungsverfahrens benutzten, sind nicht als einschränkend zu verstehen. Das oben beschriebene Verfahren für den Fall, dass Endgerät und Anbieter offline sind, kann auch für andere Vorgänge, bei denen eine Autorisierung notwendig ist, angewandt werden.Examples 2 and 3, which used a payment process to illustrate the authorization process presented, are not to be understood as restrictive. The method described above in the event that the terminal and the provider are offline can also be used for other processes in which authorization is required.
Bezug nehmend auf
Mittels des eben vorgestellten Verfahrens kann somit auch bei fehlender Verbindung von Anbieter und Autorisierendem oder Endgerät und Autorisierendem die Freigabe von Ressourcen erfolgen. Neben den oben angeführten Beispielen zur Zahlung und Zugangsautorisierung kann das Verfahren für sämtliche Vorgänge, die eine spezielle Autorisierung und Identifikation des Benutzers erfordern, verwendet werden.Using the method just presented, resources can thus be released even if there is no connection between the provider and the authorizing device or the terminal device and authorizing person. In addition to the examples above for payment and access authorization, the method can be used for all processes that require special authorization and identification of the user.
Obwohl die Erfindung mittels der Figuren und der zugehörigen Beschreibung dargestellt und detailliert beschrieben ist, sind diese Darstellung und diese detaillierte Beschreibung illustrativ und beispielhaft zu verstehen und nicht als die Erfindung einschränkend. Es versteht sich, dass Fachleute Änderungen und Abwandlungen machen können, ohne den Umfang der folgenden Ansprüche zu verlassen. Insbesondere umfasst die Erfindung ebenfalls Ausführungsformen mit jeglicher Kombination von Merkmalen, die vorstehend zu verschiedenen Aspekten und/oder Ausführungsformen genannt oder gezeigt sind.Although the invention is illustrated and described in detail by means of the figures and the associated description, this illustration and this detailed description are to be understood as illustrative and exemplary and not as restrictive of the invention. It is understood that those skilled in the art can make changes and modifications without departing from the scope of the following claims. In particular, the invention also includes embodiments with any combination of features mentioned or shown above in various aspects and / or embodiments.
Die Erfindung umfasst ebenfalls einzelne Merkmale in den Figuren auch wenn sie dort im Zusammenhang mit anderen Merkmalen gezeigt sind und/oder vorstehend nicht genannt sind.The invention also includes individual features in the figures, even if they are shown there in connection with other features and / or are not mentioned above.
Im Weiteren schließt die Ausdrücke "umfassen", "aufweisen" und Ableitungen davon andere Elemente oder Schritte nicht aus. Ebenfalls schließt der unbestimmte Artikel "ein" bzw. "eine" und Ableitungen davon eine Vielzahl nicht aus. Die Funktionen mehrerer in den Ansprüchen aufgeführter Merkmale können durch eine Einheit erfüllt sein.Furthermore, the terms "comprise", "have" and derivatives thereof do not exclude other elements or steps. Likewise, the indefinite article "a" or "an" and derivatives thereof do not exclude a large number. The functions of several features listed in the claims can be fulfilled by one unit.
Claims (9)
Senden, über Mittel zur drahtlosen Kommunikation, des Belegs vom Endgerät zum Anbieter,
Sending, via means for wireless communication, the receipt from the terminal to the provider,
wobei Anbieter und Autorisierender jeweils den anderen öffentlichen Schlüssel kennen.The authorization method for releasing or blocking resources according to claim 1, the method further comprising providing a public and a private key for the provider and the authorizer, respectively
the provider and authorizing party each know the other public key.
wobei der öffentliche Teil der Autorisierungsanfrage für das Endgerät zugänglich ist und
wobei der private Teil der Autorisierungsanfrage mit einem öffentlichen Schlüssel des Autorisierenden verschlüsselt ist.Authorization method for releasing or blocking resources according to claim 1 or 2, wherein the authorization request is signed with a private key of the provider and contains a public and a private part,
the public part of the authorization request being accessible to the terminal and
the private part of the authorization request is encrypted with a public key of the authorizing party.
wobei das Verfahren ferner das Bereitstellen eines öffentlichen und eines privaten Schlüssels jeweils für das Endgerät und den Autorisierenden aufweist und
wobei Endgerät und Autorisierender jeweils den anderen öffentlichen Schlüssel kennen.Authorization method for releasing or blocking resources according to claim 4,
the method further comprising providing a public and a private key for the terminal and the authorizing party, respectively
where end device and authorizing person each know the other public key.
wobei der öffentliche Teil der Autorisierungsanfrage für den Anbieter zugänglich ist und
wobei der private Teil der Autorisierungsanfrage mit einem öffentlichen Schlüssel des Autorisierenden verschlüsselt ist.Authorization method for releasing or blocking resources according to claim 4 or 5, wherein authorization request is signed with a private key of the terminal and contains a public and a private part,
the public part of the authorization request is accessible to the provider and
the private part of the authorization request is encrypted with a public key of the authorizing party.
eine Autorisierungsanfrage vom Anbieter über den Mittler zum Endgerät zu empfangen, , und einen Beleg mit einem vom Autorisierenden im Vorhinein ausgestellten Zertifikat vom Endgerät an den Anbieter zu senden.Terminal for releasing or blocking resources, the terminal comprising:
to receive an authorization request from the provider via the intermediary to the terminal, and to send a receipt from the terminal to the provider with a certificate issued by the authorizer in advance.
Priority Applications (5)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP18212665.6A EP3668135B1 (en) | 2018-12-14 | 2018-12-14 | Authorization method for enabling or disabling resources and terminal |
EP19215879.8A EP3672308B1 (en) | 2018-12-14 | 2018-12-14 | Authorisierungsverfahren zum freigeben oder sperren von ressourcen und endgerät |
CA3065050A CA3065050C (en) | 2018-12-14 | 2019-12-13 | Authorisation method for the release or blocking of resources and client |
US16/713,072 US11374921B2 (en) | 2018-12-14 | 2019-12-13 | Authorization method for the release or blocking of resources and client |
CA3123372A CA3123372C (en) | 2018-12-14 | 2019-12-13 | Authorisation method for the release or blocking of resources and client |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP18212665.6A EP3668135B1 (en) | 2018-12-14 | 2018-12-14 | Authorization method for enabling or disabling resources and terminal |
Related Child Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP19215879.8A Division-Into EP3672308B1 (en) | 2018-12-14 | 2018-12-14 | Authorisierungsverfahren zum freigeben oder sperren von ressourcen und endgerät |
EP19215879.8A Division EP3672308B1 (en) | 2018-12-14 | 2018-12-14 | Authorisierungsverfahren zum freigeben oder sperren von ressourcen und endgerät |
Publications (2)
Publication Number | Publication Date |
---|---|
EP3668135A1 true EP3668135A1 (en) | 2020-06-17 |
EP3668135B1 EP3668135B1 (en) | 2020-12-09 |
Family
ID=64949036
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP18212665.6A Active EP3668135B1 (en) | 2018-12-14 | 2018-12-14 | Authorization method for enabling or disabling resources and terminal |
EP19215879.8A Active EP3672308B1 (en) | 2018-12-14 | 2018-12-14 | Authorisierungsverfahren zum freigeben oder sperren von ressourcen und endgerät |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
EP19215879.8A Active EP3672308B1 (en) | 2018-12-14 | 2018-12-14 | Authorisierungsverfahren zum freigeben oder sperren von ressourcen und endgerät |
Country Status (3)
Country | Link |
---|---|
US (1) | US11374921B2 (en) |
EP (2) | EP3668135B1 (en) |
CA (2) | CA3123372C (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11303450B2 (en) * | 2018-12-19 | 2022-04-12 | Visa International Service Association | Techniques for securely performing offline authentication |
US20230291548A1 (en) * | 2022-03-08 | 2023-09-14 | Western Digital Technologies, Inc. | Authorization requests from a data storage device to multiple manager devices |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090158402A1 (en) * | 2006-08-18 | 2009-06-18 | Huawei Technologies Co., Ltd. | System and method for authorizing access request for home network |
US20140201517A1 (en) * | 2011-12-27 | 2014-07-17 | Bradley W. Corrion | Method and system for distributed off-line logon using one-time passwords |
WO2018177720A1 (en) * | 2017-03-31 | 2018-10-04 | Siemens Mobility GmbH | Method for controlling access of an electronic device to a system and security device |
Family Cites Families (39)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6789068B1 (en) * | 1999-11-08 | 2004-09-07 | At&T Corp. | System and method for microbilling using a trust management system |
US20010034831A1 (en) * | 2000-04-19 | 2001-10-25 | Brustoloni Jose C. | Method and apparatus for providing internet access to client computers over a lan |
US7711122B2 (en) * | 2001-03-09 | 2010-05-04 | Arcot Systems, Inc. | Method and apparatus for cryptographic key storage wherein key servers are authenticated by possession and secure distribution of stored keys |
JP2002304383A (en) * | 2001-04-05 | 2002-10-18 | Nec Corp | System for providing program executing service, method for providing server and program executing service, and its program |
JP3926792B2 (en) * | 2001-06-12 | 2007-06-06 | リサーチ イン モーション リミテッド | System and method for compressing secure email for exchange with mobile data communication devices |
WO2002102009A2 (en) * | 2001-06-12 | 2002-12-19 | Research In Motion Limited | Method for processing encoded messages for exchange with a mobile data communication device |
US9462070B2 (en) * | 2006-11-17 | 2016-10-04 | Synchronica Plc | Protecting privacy in group communications |
US8238889B1 (en) * | 2007-04-10 | 2012-08-07 | Marvell International Ltd. | Server for wireless application service system |
CN102246190A (en) * | 2008-12-10 | 2011-11-16 | 西门子公司 | Method and system for supplying target information |
US8924715B2 (en) * | 2010-10-28 | 2014-12-30 | Stephan V. Schell | Methods and apparatus for storage and execution of access control clients |
WO2012060479A1 (en) * | 2010-11-02 | 2012-05-10 | Kim Seong Soo | System for providing location information certification management service, and method for providing same |
US8719952B1 (en) * | 2011-03-25 | 2014-05-06 | Secsign Technologies Inc. | Systems and methods using passwords for secure storage of private keys on mobile devices |
US20140317413A1 (en) * | 2012-03-29 | 2014-10-23 | Steven Deutsch | Secure remediation of devices requesting cloud services |
US11284251B2 (en) * | 2012-06-11 | 2022-03-22 | Samsung Electronics Co., Ltd. | Mobile device and control method thereof |
JP5958254B2 (en) * | 2012-09-28 | 2016-07-27 | ブラザー工業株式会社 | Specific server and communication device |
US9882955B2 (en) * | 2013-01-09 | 2018-01-30 | RetailNext, Inc. | Wireless analytics in physical spaces |
US10104554B2 (en) * | 2013-03-11 | 2018-10-16 | Time Warner Cable Enterprises Llc | Access control, establishing trust in a wireless network |
US9215075B1 (en) * | 2013-03-15 | 2015-12-15 | Poltorak Technologies Llc | System and method for secure relayed communications from an implantable medical device |
US11127001B2 (en) * | 2013-05-09 | 2021-09-21 | Wayne Fueling Systems Llc | Systems and methods for secure communication |
US9674194B1 (en) * | 2014-03-12 | 2017-06-06 | Amazon Technologies, Inc. | Privilege distribution through signed permissions grants |
US9313208B1 (en) * | 2014-03-19 | 2016-04-12 | Amazon Technologies, Inc. | Managing restricted access resources |
US20160212194A1 (en) * | 2015-01-16 | 2016-07-21 | Nokia Technologies Oy | Method, apparatus, and computer program product for device control |
WO2017021153A1 (en) * | 2015-07-31 | 2017-02-09 | British Telecommunications Public Limited Company | Expendable access control |
US11188907B1 (en) * | 2015-08-21 | 2021-11-30 | United Services Automobile Association (Usaa) | ACH authorization validation using public blockchains |
US11195177B1 (en) * | 2015-08-21 | 2021-12-07 | United Services Automobile Association (Usaa) | Distributed ledger systems for tracking recurring transaction authorizations |
US9781092B2 (en) * | 2015-08-26 | 2017-10-03 | Facebook, Inc. | Authenticating users to media-player devices on online social networks |
US11250432B2 (en) * | 2016-04-13 | 2022-02-15 | America Express Travel Related Services Company, Inc. | Systems and methods for reducing fraud risk for a primary transaction account |
US11516195B2 (en) * | 2016-06-20 | 2022-11-29 | Nippon Telegraph And Telephone Corporation | Terminal device, key distribution management device, server-client system, communication method, and programs |
EP3282638A1 (en) * | 2016-08-11 | 2018-02-14 | Gemalto Sa | A method for provisioning a first communication device by using a second communication device |
US11282137B2 (en) * | 2016-10-07 | 2022-03-22 | The Toronto-Dominion Bank | Secure element method for distributed electronic ledger |
US10397236B1 (en) * | 2016-12-12 | 2019-08-27 | Amazon Technologies, Inc. | Anamoly detection and recovery of a corrupted computing resource |
CN111278150B (en) * | 2017-08-02 | 2021-10-22 | Oppo广东移动通信有限公司 | Uplink transmission method and terminal equipment |
SG10201708731UA (en) * | 2017-10-24 | 2019-05-30 | Mastercard International Inc | System And Method For Electronic Payment On Delivery |
US11199832B2 (en) * | 2018-01-24 | 2021-12-14 | International Business Machines Corporation | Managing activities on industrial products according to compliance with reference policies |
US11282123B2 (en) * | 2018-03-29 | 2022-03-22 | Rovi Guides, Inc. | Methods and systems for providing media asset recommendations based on distributed blockchain analysis |
JP7414526B2 (en) * | 2018-04-16 | 2024-01-16 | エルジー エレクトロニクス インコーポレイティド | Apparatus and method for transmitting data streams in a wireless power transmission system |
EP3794472A4 (en) * | 2018-05-14 | 2021-12-22 | Hewlett-Packard Development Company, L.P. | Authorized printing |
US10742659B1 (en) * | 2018-05-15 | 2020-08-11 | Cox Communications, Inc. | Restricted content access provision based on third-party verification |
US11645375B2 (en) * | 2018-09-27 | 2023-05-09 | International Business Machines Corporation | Authorization of resource access |
-
2018
- 2018-12-14 EP EP18212665.6A patent/EP3668135B1/en active Active
- 2018-12-14 EP EP19215879.8A patent/EP3672308B1/en active Active
-
2019
- 2019-12-13 US US16/713,072 patent/US11374921B2/en active Active
- 2019-12-13 CA CA3123372A patent/CA3123372C/en active Active
- 2019-12-13 CA CA3065050A patent/CA3065050C/en active Active
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20090158402A1 (en) * | 2006-08-18 | 2009-06-18 | Huawei Technologies Co., Ltd. | System and method for authorizing access request for home network |
US20140201517A1 (en) * | 2011-12-27 | 2014-07-17 | Bradley W. Corrion | Method and system for distributed off-line logon using one-time passwords |
WO2018177720A1 (en) * | 2017-03-31 | 2018-10-04 | Siemens Mobility GmbH | Method for controlling access of an electronic device to a system and security device |
Also Published As
Publication number | Publication date |
---|---|
EP3668135B1 (en) | 2020-12-09 |
EP3672308B1 (en) | 2021-08-25 |
CA3065050A1 (en) | 2020-06-14 |
CA3123372C (en) | 2024-01-02 |
US11374921B2 (en) | 2022-06-28 |
CA3065050C (en) | 2022-07-19 |
EP3672308A1 (en) | 2020-06-24 |
US20200195634A1 (en) | 2020-06-18 |
CA3123372A1 (en) | 2020-06-14 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
EP2997550B2 (en) | Method for controlling access | |
EP3256977B1 (en) | Computer-implemented method for access control | |
DE69829642T2 (en) | AUTHENTICATION SYSTEM WITH CHIP CARD | |
DE60119857T2 (en) | Method and device for executing secure transactions | |
WO2016192842A1 (en) | Terminal and method for mobile payment with trusted execution environment | |
EP3125492A1 (en) | Method and system for generating a secure communication channel for terminals | |
WO2016005377A1 (en) | Method and system for authenticating a user | |
WO2009003605A2 (en) | Virtual prepaid or credit card and method and system for providing such and for electronic payment transactions | |
EP1331754A1 (en) | Method controlling access in a Wireless Local Area Network | |
DE4142964A1 (en) | DATA EXCHANGE SYSTEM WITH CHECKING OF THE DEVICE FOR AUTHENTICATION STATUS | |
EP2715684A1 (en) | Electronic system for quickly and securely processing transactions using mobile devices | |
EP3672308B1 (en) | Authorisierungsverfahren zum freigeben oder sperren von ressourcen und endgerät | |
DE102012221288A1 (en) | A method, apparatus and service means for authenticating a customer to a service to be provided by a service means | |
AT504581B1 (en) | METHOD AND SYSTEM FOR READING DATA FROM A MEMORY OF A REMOTE DEVICE THROUGH A SERVER | |
EP2932446A1 (en) | Reputation system and method | |
EP3254432B1 (en) | Method for authorization management in an arrangement having multiple computer systems | |
EP2893668B1 (en) | Method for generating a derived authority from an original data carrier | |
WO2013011043A1 (en) | Mobile system for financial transactions | |
DE10300515A1 (en) | Single sign-on method and apparatus for paying in networks | |
EP3283999B1 (en) | Electronic system for producing a certificate | |
EP4177808B1 (en) | Selectively anonymizing cryptocurrency transaction | |
EP3502971B1 (en) | Processor chip card and method for its operation | |
EP3198546A1 (en) | Transaction method | |
DE102021003724A1 (en) | Method for the identification of a person by means of a credit card number and identification system | |
DE102019114844A1 (en) | Method and control device for the secure verification of an electronic ticket |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: EXAMINATION IS IN PROGRESS |
|
PUAI | Public reference made under article 153(3) epc to a published international application that has entered the european phase |
Free format text: ORIGINAL CODE: 0009012 |
|
17P | Request for examination filed |
Effective date: 20190114 |
|
AK | Designated contracting states |
Kind code of ref document: A1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
AX | Request for extension of the european patent |
Extension state: BA ME |
|
GRAP | Despatch of communication of intention to grant a patent |
Free format text: ORIGINAL CODE: EPIDOSNIGR1 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: GRANT OF PATENT IS INTENDED |
|
RIC1 | Information provided on ipc code assigned before grant |
Ipc: H04W 12/08 20090101ALN20200703BHEP Ipc: G07C 9/27 20200101ALI20200703BHEP Ipc: H04L 29/06 20060101ALN20200703BHEP Ipc: H04L 9/32 20060101ALI20200703BHEP Ipc: H04W 88/04 20090101ALN20200703BHEP Ipc: G07C 9/00 20200101ALN20200703BHEP Ipc: H04W 12/06 20090101AFI20200703BHEP |
|
INTG | Intention to grant announced |
Effective date: 20200724 |
|
GRAS | Grant fee paid |
Free format text: ORIGINAL CODE: EPIDOSNIGR3 |
|
GRAA | (expected) grant |
Free format text: ORIGINAL CODE: 0009210 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: THE PATENT HAS BEEN GRANTED |
|
AK | Designated contracting states |
Kind code of ref document: B1 Designated state(s): AL AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HR HU IE IS IT LI LT LU LV MC MK MT NL NO PL PT RO RS SE SI SK SM TR |
|
REG | Reference to a national code |
Ref country code: GB Ref legal event code: FG4D Free format text: NOT ENGLISH |
|
REG | Reference to a national code |
Ref country code: AT Ref legal event code: REF Ref document number: 1344605 Country of ref document: AT Kind code of ref document: T Effective date: 20201215 Ref country code: CH Ref legal event code: EP |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R096 Ref document number: 502018003258 Country of ref document: DE |
|
REG | Reference to a national code |
Ref country code: IE Ref legal event code: FG4D Free format text: LANGUAGE OF EP DOCUMENT: GERMAN |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: NO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210309 Ref country code: GR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210310 Ref country code: RS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: FI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LV Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: SE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: BG Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210309 |
|
REG | Reference to a national code |
Ref country code: NL Ref legal event code: MP Effective date: 20201209 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: NL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: HR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 |
|
REG | Reference to a national code |
Ref country code: LT Ref legal event code: MG9D |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: CZ Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: EE Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: SM Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: SK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: RO Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: PT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210409 Ref country code: LT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: PL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 |
|
REG | Reference to a national code |
Ref country code: BE Ref legal event code: MM Effective date: 20201231 |
|
REG | Reference to a national code |
Ref country code: DE Ref legal event code: R097 Ref document number: 502018003258 Country of ref document: DE |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MC Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210409 |
|
PLBE | No opposition filed within time limit |
Free format text: ORIGINAL CODE: 0009261 |
|
STAA | Information on the status of an ep patent application or granted ep patent |
Free format text: STATUS: NO OPPOSITION FILED WITHIN TIME LIMIT |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: AL Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: LU Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20201214 Ref country code: IT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: IE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20201214 |
|
26N | No opposition filed |
Effective date: 20210910 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: DK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: SI Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: ES Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: IS Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20210409 Ref country code: TR Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: MT Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 Ref country code: CY Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: MK Free format text: LAPSE BECAUSE OF FAILURE TO SUBMIT A TRANSLATION OF THE DESCRIPTION OR TO PAY THE FEE WITHIN THE PRESCRIBED TIME-LIMIT Effective date: 20201209 |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: BE Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20201231 |
|
REG | Reference to a national code |
Ref country code: CH Ref legal event code: PL |
|
PG25 | Lapsed in a contracting state [announced via postgrant information from national office to epo] |
Ref country code: LI Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20211231 Ref country code: CH Free format text: LAPSE BECAUSE OF NON-PAYMENT OF DUE FEES Effective date: 20211231 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: GB Payment date: 20231212 Year of fee payment: 6 |
|
PGFP | Annual fee paid to national office [announced via postgrant information from national office to epo] |
Ref country code: FR Payment date: 20231212 Year of fee payment: 6 Ref country code: DE Payment date: 20231212 Year of fee payment: 6 |